Behavioral-based control of access to encrypted content by a process

US 9,984,248 B2
Filed: 02/12/2016
Issued: 05/29/2018
Est. Priority Date: 02/12/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:

encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;

monitoring an exposure state of a process on the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (3) the process is identified as exposed when the process opens a first file that is identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process; and

restricting access by the process to the plurality of files when the process is exposed by controlling access to the plurality of files through a file system filter that conditionally decrypts one or more of the plurality of files for the process according to the exposure state of the process.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.

53 Citations

View as Search Results

18 Claims

1. A computer program product for securing an endpoint against exposure to unsafe or unknown content, the computer program product comprising computer-executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint performs the steps of:
- encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
  
  monitoring an exposure state of a process on the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (3) the process is identified as exposed when the process opens a first file that is identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process; and
  
  restricting access by the process to the plurality of files when the process is exposed by controlling access to the plurality of files through a file system filter that conditionally decrypts one or more of the plurality of files for the process according to the exposure state of the process.
- View Dependent Claims (2, 3, 4)
- - 2. The computer program product of claim 1 wherein the reputation of the Uniform Resource Locator is obtained from a remote threat management facility.
  - 3. The computer program product of claim 1 wherein the file system filter conditionally decrypts one or more of the plurality of files using a cryptographic key, and further wherein the file system filter is configured to respond to an indication of compromise for the endpoint by deleting the cryptographic key on the endpoint.
  - 4. The computer program product of claim 1 wherein restricting access by the process to the plurality of files includes maintaining access to any of the plurality of files that have been opened by the process before the process became exposed, and preventing access to other ones of the plurality of files.

5. A method comprising:
- encrypting a plurality of files on an endpoint to prevent unauthorized access to the plurality of files;
  
  monitoring an exposure state of a process on the endpoint to potentially unsafe content by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein the process is initially identified as secure and the process is identified as exposed based on contact with content other than the plurality of files;
  
  identifying the process as exposed according to the plurality of behavioral rules, wherein (1) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (2) the process is identified as exposed when the process opens a first file that is identified as exposed, and (3) the process is identified as exposed when another exposed process opens a handle to the process; and
  
  restricting access by the process to the plurality of files when the process is exposed.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The method of claim 5 further comprising identifying the first file as exposed when at least one of the following conditions is met:
    - (1) the first file is not one of the plurality of files;
      
      (2) the first file is saved by a second process that is identified as exposed; and
      
      (3) a source of the first file has a low reputation.
  - 7. The method of claim 5 further comprising identifying the first file as exposed based upon a scan of the first file.
  - 8. The method of claim 5 further comprising obtaining the reputation for the Uniform Resource Locator from a remote threat management facility.
  - 9. The method of claim 5 wherein restricting access by the process to the plurality of files includes controlling access through an extension to a file system for the endpoint, further wherein the extension conditionally decrypts one or more of the plurality of files for the process according to the exposure state of the process.
  - 10. The method of claim 9 wherein the extension conditionally decrypts one or more of the plurality of files using a cryptographic key, and further wherein the extension is configured to respond to an indication of compromise for the endpoint by deleting the cryptographic key on the endpoint.
  - 11. The method of claim 9 wherein the extension includes at least one of a mount point for the file system and a file system filter for the file system.
  - 12. The method of claim 5 wherein restricting access by the process to the plurality of files includes maintaining access to any of the plurality of files that have been opened by the process before the process became exposed, and preventing access to other ones of the plurality of files.
  - 13. The method of claim 5 further comprising monitoring a security state of the process and restricting access by the process to the plurality of files when the security state is compromised.
  - 14. The method of claim 13 wherein monitoring the security state includes remotely monitoring the security state at a threat management facility or locally monitoring the security state with a malware file scanner.
  - 15. The method of claim 5 further comprising initiating a remediation of the process when the process is exposed, the remediation including facilitating a restart of the process.
  - 16. The method of claim 15 wherein, if the remediation is successful, restoring access to all of the plurality of files by the process.
  - 17. The method of claim 5 further comprising providing a notification to a user in a display of the endpoint, the notification indicating a required remediation step for the process to resolve the exposure state, and the notification informing the user that an application associated with the process cannot access additional files until the user completes the required remediation step.

18. A system comprising:
- an endpoint;
  
  a first memory on the endpoint storing a plurality of files, the plurality of files encrypted to prevent unauthorized access;
  
  a process executing on the endpoint;
  
  a file system on the endpoint configured to manage access to the plurality of files by the process, the file system including an extension configured to monitor an exposure state of the process and to restrict access to the one of the files based on the exposure state of the process by conditionally decrypting the one of the files based on the exposure state;
  
  an integrity monitor configured to evaluate the exposure state by applying a plurality of behavioral rules to determine whether the exposure state of the process is either exposed or secure, wherein the process is initially identified as secure and the process is identified as exposed based on contact with content other than the plurality of files, wherein the integrity monitor is further configured to identify the process as exposed according to the plurality of behavioral rules, wherein (1) the process is identified as exposed when the process opens a network connection to a Uniform Resource Locator that is not internal to an enterprise network of the endpoint and that has a reputation that is poor, (2) the process is identified as exposed when the process opens a first file that is identified as exposed, and (3) the process is identified as exposed when another exposed process opens a handle to the process; and
  
  a remediation component configured to remediate the process from the exposed state to the secure state for unrestricted access to the plurality of files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ray, Kenneth D., Thomas, Andrew J., Merry, Anthony John, Schtz, Harald, Berger, Andreas, Shaw, John Edward Tyrone
Primary Examiner(s)
McNally, Michael S

Application Number

US15/042,916
Publication Number

US 20170235967A1
Time in Patent Office

837 Days
Field of Search

713165
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2221/033   Test or assess software

G06F 2221/2107   File encryption

H04L 63/02   for separating internal fro...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Behavioral-based control of access to encrypted content by a process

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral-based control of access to encrypted content by a process

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links